aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--server/controllers/api/remote.js2
-rw-r--r--server/helpers/peertube-crypto.js48
-rw-r--r--server/helpers/requests.js17
-rw-r--r--server/middlewares/secure.js28
-rw-r--r--server/middlewares/validators/remote.js10
-rw-r--r--server/models/request.js3
6 files changed, 7 insertions, 101 deletions
diff --git a/server/controllers/api/remote.js b/server/controllers/api/remote.js
index 35f386ba6..f1046c534 100644
--- a/server/controllers/api/remote.js
+++ b/server/controllers/api/remote.js
@@ -15,9 +15,7 @@ const Video = mongoose.model('Video')
15 15
16router.post('/videos', 16router.post('/videos',
17 validators.signature, 17 validators.signature,
18 validators.dataToDecrypt,
19 secureMiddleware.checkSignature, 18 secureMiddleware.checkSignature,
20 secureMiddleware.decryptBody,
21 validators.remoteVideos, 19 validators.remoteVideos,
22 remoteVideos 20 remoteVideos
23) 21)
diff --git a/server/helpers/peertube-crypto.js b/server/helpers/peertube-crypto.js
index 1ff638b04..2e07df00e 100644
--- a/server/helpers/peertube-crypto.js
+++ b/server/helpers/peertube-crypto.js
@@ -16,8 +16,6 @@ const peertubeCrypto = {
16 comparePassword, 16 comparePassword,
17 createCertsIfNotExist, 17 createCertsIfNotExist,
18 cryptPassword, 18 cryptPassword,
19 decrypt,
20 encrypt,
21 sign 19 sign
22} 20}
23 21
@@ -57,34 +55,6 @@ function cryptPassword (password, callback) {
57 }) 55 })
58} 56}
59 57
60function decrypt (key, data, callback) {
61 fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
62 if (err) return callback(err)
63
64 const myPrivateKey = ursa.createPrivateKey(file)
65 const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
66 const decryptedData = symetricDecrypt(data, decryptedKey)
67
68 return callback(null, decryptedData)
69 })
70}
71
72function encrypt (publicKey, data, callback) {
73 const crt = ursa.createPublicKey(publicKey)
74
75 symetricEncrypt(data, function (err, dataEncrypted) {
76 if (err) return callback(err)
77
78 const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
79 const encrypted = {
80 data: dataEncrypted.crypted,
81 key: key
82 }
83
84 callback(null, encrypted)
85 })
86}
87
88function sign (data) { 58function sign (data) {
89 const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem')) 59 const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
90 const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex') 60 const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
@@ -151,21 +121,3 @@ function generatePassword (callback) {
151 callback(null, buf.toString('utf8')) 121 callback(null, buf.toString('utf8'))
152 }) 122 })
153} 123}
154
155function symetricDecrypt (text, password) {
156 const decipher = crypto.createDecipher(algorithm, password)
157 let dec = decipher.update(text, 'hex', 'utf8')
158 dec += decipher.final('utf8')
159 return dec
160}
161
162function symetricEncrypt (text, callback) {
163 generatePassword(function (err, password) {
164 if (err) return callback(err)
165
166 const cipher = crypto.createCipher(algorithm, password)
167 let crypted = cipher.update(text, 'utf8', 'hex')
168 crypted += cipher.final('hex')
169 callback(null, { crypted: crypted, password: password })
170 })
171}
diff --git a/server/helpers/requests.js b/server/helpers/requests.js
index 06109ce16..b0cda09fe 100644
--- a/server/helpers/requests.js
+++ b/server/helpers/requests.js
@@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) {
44 44
45 // If there are data informations 45 // If there are data informations
46 if (params.data) { 46 if (params.data) {
47 // Encrypt data 47 requestParams.json.data = params.data
48 if (params.encrypt === true) { 48 request.post(requestParams, callback)
49 peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
50 if (err) return callback(err)
51
52 requestParams.json.data = encrypted.data
53 requestParams.json.key = encrypted.key
54
55 request.post(requestParams, callback)
56 })
57 } else {
58 // No encryption
59 requestParams.json.data = params.data
60 request.post(requestParams, callback)
61 }
62 } else { 49 } else {
63 // No data 50 // No data
64 request.post(requestParams, callback) 51 request.post(requestParams, callback)
diff --git a/server/middlewares/secure.js b/server/middlewares/secure.js
index fd5bc51d6..ee836beed 100644
--- a/server/middlewares/secure.js
+++ b/server/middlewares/secure.js
@@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
7const Pod = mongoose.model('Pod') 7const Pod = mongoose.model('Pod')
8 8
9const secureMiddleware = { 9const secureMiddleware = {
10 checkSignature, 10 checkSignature
11 decryptBody
12} 11}
13 12
14function checkSignature (req, res, next) { 13function checkSignature (req, res, next) {
15 const host = req.body.signature.host 14 const host = req.body.signature.host
16 Pod.loadByHost(host, function (err, pod) { 15 Pod.loadByHost(host, function (err, pod) {
17 if (err) { 16 if (err) {
18 logger.error('Cannot get signed host in decryptBody.', { error: err }) 17 logger.error('Cannot get signed host in body.', { error: err })
19 return res.sendStatus(500) 18 return res.sendStatus(500)
20 } 19 }
21 20
@@ -24,7 +23,7 @@ function checkSignature (req, res, next) {
24 return res.sendStatus(403) 23 return res.sendStatus(403)
25 } 24 }
26 25
27 logger.debug('Decrypting body from %s.', host) 26 logger.debug('Checking signature from %s.', host)
28 27
29 const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature) 28 const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
30 29
@@ -32,30 +31,11 @@ function checkSignature (req, res, next) {
32 return next() 31 return next()
33 } 32 }
34 33
35 logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host) 34 logger.error('Signature is not okay in body for %s.', req.body.signature.host)
36 return res.sendStatus(403) 35 return res.sendStatus(403)
37 }) 36 })
38} 37}
39 38
40function decryptBody (req, res, next) {
41 peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
42 if (err) {
43 logger.error('Cannot decrypt data.', { error: err })
44 return res.sendStatus(500)
45 }
46
47 try {
48 req.body.data = JSON.parse(decrypted)
49 delete req.body.key
50 } catch (err) {
51 logger.error('Error in JSON.parse', { error: err })
52 return res.sendStatus(500)
53 }
54
55 next()
56 })
57}
58
59// --------------------------------------------------------------------------- 39// ---------------------------------------------------------------------------
60 40
61module.exports = secureMiddleware 41module.exports = secureMiddleware
diff --git a/server/middlewares/validators/remote.js b/server/middlewares/validators/remote.js
index c6455e678..858d193cc 100644
--- a/server/middlewares/validators/remote.js
+++ b/server/middlewares/validators/remote.js
@@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors
4const logger = require('../../helpers/logger') 4const logger = require('../../helpers/logger')
5 5
6const validatorsRemote = { 6const validatorsRemote = {
7 dataToDecrypt,
8 remoteVideos, 7 remoteVideos,
9 signature 8 signature
10} 9}
11 10
12function dataToDecrypt (req, res, next) {
13 req.checkBody('key', 'Should have a key').notEmpty()
14 req.checkBody('data', 'Should have data').notEmpty()
15
16 logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
17
18 checkErrors(req, res, next)
19}
20
21function remoteVideos (req, res, next) { 11function remoteVideos (req, res, next) {
22 req.checkBody('data').isEachRemoteVideosValid() 12 req.checkBody('data').isEachRemoteVideosValid()
23 13
diff --git a/server/models/request.js b/server/models/request.js
index 59bf440fe..c2cfe83ce 100644
--- a/server/models/request.js
+++ b/server/models/request.js
@@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) {
108 108
109 const params = { 109 const params = {
110 toPod: toPod, 110 toPod: toPod,
111 encrypt: true, // Security 111 sign: true, // Prove our identity
112 sign: true, // To prove our identity
113 method: 'POST', 112 method: 'POST',
114 path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint, 113 path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
115 data: requestsToMake // Requests we need to make 114 data: requestsToMake // Requests we need to make